|
Packit Service |
0a38ef |
# -*- coding: utf-8 -*-
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Authors:
|
|
Packit Service |
0a38ef |
# Thomas Woerner <twoerner@redhat.com>
|
|
Packit Service |
0a38ef |
#
|
|
Packit Service |
0a38ef |
# Based on ipa-client-install code
|
|
Packit Service |
0a38ef |
#
|
|
Packit Service |
0a38ef |
# Copyright (C) 2017 Red Hat
|
|
Packit Service |
0a38ef |
# see file 'COPYING' for use and warranty information
|
|
Packit Service |
0a38ef |
#
|
|
Packit Service |
0a38ef |
# This program is free software; you can redistribute it and/or modify
|
|
Packit Service |
0a38ef |
# it under the terms of the GNU General Public License as published by
|
|
Packit Service |
0a38ef |
# the Free Software Foundation, either version 3 of the License, or
|
|
Packit Service |
0a38ef |
# (at your option) any later version.
|
|
Packit Service |
0a38ef |
#
|
|
Packit Service |
0a38ef |
# This program is distributed in the hope that it will be useful,
|
|
Packit Service |
0a38ef |
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
Packit Service |
0a38ef |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
Packit Service |
0a38ef |
# GNU General Public License for more details.
|
|
Packit Service |
0a38ef |
#
|
|
Packit Service |
0a38ef |
# You should have received a copy of the GNU General Public License
|
|
Packit Service |
0a38ef |
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
ANSIBLE_METADATA = {
|
|
Packit Service |
0a38ef |
'metadata_version': '1.0',
|
|
Packit Service |
0a38ef |
'supported_by': 'community',
|
|
Packit Service |
0a38ef |
'status': ['preview'],
|
|
Packit Service |
0a38ef |
}
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
DOCUMENTATION = '''
|
|
Packit Service |
0a38ef |
---
|
|
Packit Service |
0a38ef |
module: ipaclient_test_keytab
|
|
Packit Service |
0a38ef |
short description:
|
|
Packit Service |
0a38ef |
Test if the krb5.keytab on the machine is valid and can be used.
|
|
Packit Service |
0a38ef |
description:
|
|
Packit Service |
0a38ef |
Test if the krb5.keytab on the machine is valid and can be used.
|
|
Packit Service |
0a38ef |
A temporary krb5.conf file will be generated to not fail on an invalid one.
|
|
Packit Service |
0a38ef |
options:
|
|
Packit Service |
0a38ef |
servers:
|
|
Packit Service |
0a38ef |
description: Fully qualified name of IPA servers to enroll to
|
|
Packit Service |
0a38ef |
required: no
|
|
Packit Service |
0a38ef |
domain:
|
|
Packit Service |
0a38ef |
description: Primary DNS domain of the IPA deployment
|
|
Packit Service |
0a38ef |
required: no
|
|
Packit Service |
0a38ef |
realm:
|
|
Packit Service |
0a38ef |
description: Kerberos realm name of the IPA deployment
|
|
Packit Service |
0a38ef |
required: no
|
|
Packit Service |
0a38ef |
hostname:
|
|
Packit Service |
0a38ef |
description: Fully qualified name of this host
|
|
Packit Service |
0a38ef |
required: no
|
|
Packit Service |
0a38ef |
kdc:
|
|
Packit Service |
0a38ef |
description: The name or address of the host running the KDC
|
|
Packit Service |
0a38ef |
required: no
|
|
Packit Service |
0a38ef |
kinit_attempts:
|
|
Packit Service |
0a38ef |
description: Repeat the request for host Kerberos ticket X times
|
|
Packit Service |
0a38ef |
required: yes
|
|
Packit Service |
0a38ef |
author:
|
|
Packit Service |
0a38ef |
- Thomas Woerner
|
|
Packit Service |
0a38ef |
'''
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
EXAMPLES = '''
|
|
Packit Service |
0a38ef |
# Test IPA with local keytab
|
|
Packit Service |
0a38ef |
- name: Test IPA in force mode with maximum 5 kinit attempts
|
|
Packit Service |
0a38ef |
ipaclient_test_keytab:
|
|
Packit Service |
0a38ef |
servers: ["server1.example.com","server2.example.com"]
|
|
Packit Service |
0a38ef |
domain: example.com
|
|
Packit Service |
0a38ef |
realm: EXAMPLE.COM
|
|
Packit Service |
0a38ef |
kdc: server1.example.com
|
|
Packit Service |
0a38ef |
hostname: client1.example.com
|
|
Packit Service |
0a38ef |
kinit_attempts: 5
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Test IPA with ipadiscovery return values
|
|
Packit Service |
0a38ef |
- name: Join IPA
|
|
Packit Service |
0a38ef |
ipaclient_test_keytab:
|
|
Packit Service |
0a38ef |
servers: "{{ ipadiscovery.servers }}"
|
|
Packit Service |
0a38ef |
domain: "{{ ipadiscovery.domain }}"
|
|
Packit Service |
0a38ef |
realm: "{{ ipadiscovery.realm }}"
|
|
Packit Service |
0a38ef |
kdc: "{{ ipadiscovery.kdc }}"
|
|
Packit Service |
0a38ef |
hostname: "{{ ipadiscovery.hostname }}"
|
|
Packit Service |
0a38ef |
'''
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
RETURN = '''
|
|
Packit Service |
0a38ef |
krb5_keytab_ok:
|
|
Packit Service |
0a38ef |
description: The flag describes if krb5.keytab on the host is usable.
|
|
Packit Service |
0a38ef |
returned: always
|
|
Packit Service |
0a38ef |
type: bool
|
|
Packit Service |
0a38ef |
ca_crt_exists:
|
|
Packit Service |
0a38ef |
description: The flag describes if ca.crt exists.
|
|
Packit Service |
0a38ef |
returned: always
|
|
Packit Service |
0a38ef |
krb5_conf_ok:
|
|
Packit Service |
0a38ef |
description: The flag describes if krb5.conf on the host is usable.
|
|
Packit Service |
0a38ef |
returned: always
|
|
Packit Service |
0a38ef |
type: bool
|
|
Packit Service |
0a38ef |
ping_test_ok:
|
|
Packit Service |
0a38ef |
description: The flag describes if ipa ping test succeded.
|
|
Packit Service |
0a38ef |
returned: always
|
|
Packit Service |
0a38ef |
type: bool
|
|
Packit Service |
0a38ef |
'''
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
import os
|
|
Packit Service |
0a38ef |
import tempfile
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
from ansible.module_utils.basic import AnsibleModule
|
|
Packit Service |
0a38ef |
from ansible.module_utils.ansible_ipa_client import (
|
|
Packit Service |
0a38ef |
setup_logging,
|
|
Packit Service |
0a38ef |
SECURE_PATH, paths, kinit_keytab, run, GSSError, configure_krb5_conf
|
|
Packit Service |
0a38ef |
)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
def main():
|
|
Packit Service |
0a38ef |
module = AnsibleModule(
|
|
Packit Service |
0a38ef |
argument_spec=dict(
|
|
Packit Service |
0a38ef |
servers=dict(required=True, type='list'),
|
|
Packit Service |
0a38ef |
domain=dict(required=True),
|
|
Packit Service |
0a38ef |
realm=dict(required=True),
|
|
Packit Service |
0a38ef |
hostname=dict(required=True),
|
|
Packit Service |
0a38ef |
kdc=dict(required=True),
|
|
Packit Service |
0a38ef |
kinit_attempts=dict(required=False, type='int', default=5),
|
|
Packit Service |
0a38ef |
),
|
|
Packit Service |
0a38ef |
supports_check_mode=True,
|
|
Packit Service |
0a38ef |
)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
module._ansible_debug = True
|
|
Packit Service |
0a38ef |
setup_logging()
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
servers = module.params.get('servers')
|
|
Packit Service |
0a38ef |
domain = module.params.get('domain')
|
|
Packit Service |
0a38ef |
realm = module.params.get('realm')
|
|
Packit Service |
0a38ef |
hostname = module.params.get('hostname')
|
|
Packit Service |
0a38ef |
kdc = module.params.get('kdc')
|
|
Packit Service |
0a38ef |
kinit_attempts = module.params.get('kinit_attempts')
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
client_domain = hostname[hostname.find(".")+1:]
|
|
Packit Service |
0a38ef |
host_principal = 'host/%s@%s' % (hostname, realm)
|
|
Packit Service |
0a38ef |
sssd = True
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Remove IPA_DNS_CCACHE remain if it exists
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
os.remove(paths.IPA_DNS_CCACHE)
|
|
Packit Service |
0a38ef |
except OSError:
|
|
Packit Service |
0a38ef |
pass
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
krb5_keytab_ok = False
|
|
Packit Service |
0a38ef |
krb5_conf_ok = False
|
|
Packit Service |
0a38ef |
ping_test_ok = False
|
|
Packit Service |
0a38ef |
ca_crt_exists = os.path.exists(paths.IPA_CA_CRT)
|
|
Packit Service |
0a38ef |
env = {'PATH': SECURE_PATH, 'KRB5CCNAME': paths.IPA_DNS_CCACHE}
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# First try: Validate krb5 keytab with system krb5 configuraiton
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
kinit_keytab(host_principal, paths.KRB5_KEYTAB,
|
|
Packit Service |
0a38ef |
paths.IPA_DNS_CCACHE,
|
|
Packit Service |
0a38ef |
config=paths.KRB5_CONF,
|
|
Packit Service |
0a38ef |
attempts=kinit_attempts)
|
|
Packit Service |
0a38ef |
krb5_keytab_ok = True
|
|
Packit Service |
0a38ef |
krb5_conf_ok = True
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Test IPA
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
result = run(["/usr/bin/ipa", "ping"], raiseonerr=False, env=env)
|
|
Packit Service |
0a38ef |
if result.returncode == 0:
|
|
Packit Service |
0a38ef |
ping_test_ok = True
|
|
Packit Service |
0a38ef |
except OSError:
|
|
Packit Service |
0a38ef |
pass
|
|
Packit Service |
0a38ef |
except GSSError:
|
|
Packit Service |
0a38ef |
pass
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Second try: Validate krb5 keytab with temporary krb5
|
|
Packit Service |
0a38ef |
# configuration
|
|
Packit Service |
0a38ef |
if not krb5_conf_ok:
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
(krb_fd, krb_name) = tempfile.mkstemp()
|
|
Packit Service |
0a38ef |
os.close(krb_fd)
|
|
Packit Service |
0a38ef |
configure_krb5_conf(
|
|
Packit Service |
0a38ef |
cli_realm=realm,
|
|
Packit Service |
0a38ef |
cli_domain=domain,
|
|
Packit Service |
0a38ef |
cli_server=servers,
|
|
Packit Service |
0a38ef |
cli_kdc=kdc,
|
|
Packit Service |
0a38ef |
dnsok=False,
|
|
Packit Service |
0a38ef |
filename=krb_name,
|
|
Packit Service |
0a38ef |
client_domain=client_domain,
|
|
Packit Service |
0a38ef |
client_hostname=hostname,
|
|
Packit Service |
0a38ef |
configure_sssd=sssd,
|
|
Packit Service |
0a38ef |
force=False)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
kinit_keytab(host_principal, paths.KRB5_KEYTAB,
|
|
Packit Service |
0a38ef |
paths.IPA_DNS_CCACHE,
|
|
Packit Service |
0a38ef |
config=krb_name,
|
|
Packit Service |
0a38ef |
attempts=kinit_attempts)
|
|
Packit Service |
0a38ef |
krb5_keytab_ok = True
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Test IPA
|
|
Packit Service |
0a38ef |
env['KRB5_CONFIG'] = krb_name
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
result = run(["/usr/bin/ipa", "ping"], raiseonerr=False,
|
|
Packit Service |
0a38ef |
env=env)
|
|
Packit Service |
0a38ef |
if result.returncode == 0:
|
|
Packit Service |
0a38ef |
ping_test_ok = True
|
|
Packit Service |
0a38ef |
except OSError:
|
|
Packit Service |
0a38ef |
pass
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
except GSSError:
|
|
Packit Service |
0a38ef |
pass
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
finally:
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
os.remove(krb_name)
|
|
Packit Service |
0a38ef |
except OSError:
|
|
Packit Service |
0a38ef |
module.fail_json(msg="Could not remove %s" % krb_name)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
module.exit_json(changed=False,
|
|
Packit Service |
0a38ef |
krb5_keytab_ok=krb5_keytab_ok,
|
|
Packit Service |
0a38ef |
krb5_conf_ok=krb5_conf_ok,
|
|
Packit Service |
0a38ef |
ca_crt_exists=ca_crt_exists,
|
|
Packit Service |
0a38ef |
ping_test_ok=ping_test_ok)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if __name__ == '__main__':
|
|
Packit Service |
0a38ef |
main()
|